[HTTP] Internal routes cannot be used in href tags on serverless #163678

Closed
jloleysens opened this issue Aug 11, 2023 · 3 comments · Fixed by #163796
Labels
bug Fixes for quality problems that affect the customer experience discuss Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc

Comments

@jloleysens
Contributor

jloleysens commented Aug 11, 2023

When a route is `access: internal` and we turn on `server.restrictInternalApis` (as we have for serverless) these routes require the presence of `x-elastic-internal-origin` to be usable. This renders the route unusable in hrefs where headers cannot be specified (affected are especially file downloads).

This is similar to the issue we face when we make a route internal and versioned.

@jloleysens jloleysens added discuss Feature:http Team:Core Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc labels Aug 11, 2023
@elasticmachine
Contributor

Pinging @elastic/kibana-core (Team:Core)

@jloleysens
Contributor Author

jloleysens commented Aug 11, 2023

One approach is for us to provide the same workaround as we do for communicating versions, but instead of requiring it to be explicitly enabled we will accept a request to an internal route if:

  • `x-elastic-internal-origin` header is present
  • `elasticInternalOrigin` query param is present (I think we should add code reserving this query param)

This way we can use internal, restricted HTTP APIs in download tags too.
If we go this route, I think we should make these concepts first class citizens in the browser's fetch implementation by providing a way to set the query param via an option on the fetch interface.

@jloleysens jloleysens added the bug Fixes for quality problems that affect the customer experience label Aug 11, 2023
@lukeelmers
Member

The `elasticInternalOrigin` param seems reasonable to me. I don't love introducing another way to circumvent the restrictions, but we're going to need a solution for the href use case, and in practice this isn't much different from using the header. It would also make it easier to handle internal APIs in console as discussed in #160801.

jloleysens added a commit that referenced this issue Aug 21, 2023
…m `elasticInternalOrigin` (#163796)

## Summary

Closes #163678

* Raise the notion of "internal" into `CoreKibanaRequest`. This enables us to share this with lifecycle handlers and control validation of query params
* Added new `isInternalRequest` alongside `isSystemRequest` and `isFakeRequest`
* Slight simplification to existing internal restriction check
* Some other chores and minor fixes

## Test

* Start ES with `yarn es serverless` and Kibana with `yarn start --serverless --server.restrictInternalApis=true`
* Add the service account token to `kibana.dev.yml`: `elasticsearch.serviceAccountToken: <SAT>`
* Send a request to an internal endpoint like: `curl -XPOST -uelastic:changeme http://localhost:5601/<base-path>/api/files/find -H 'kbn-xsrf: foo' -H 'content-type: application/json' -d '{}'`
    * Should give you a 400 result
    * message like `{"statusCode":400,"error":"Bad Request","message":"uri [http://localhost:5603/api/files/find] with method [post] exists but is not available with the current configuration"}`
* Send the same request, but include the query param: `elasticInternalOrigin=true`
    * Should give you a 200 result

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
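The gate that the proposal above and the commit's test steps describe, as an added example (not Kibana's own code): a request to an `access: internal` route passes under `server.restrictInternalApis` only if it carries the `x-elastic-internal-origin` header or the reserved `elasticInternalOrigin` query param, and is otherwise answered with the 400 message quoted in the test steps. The type and function names are assumptions; only the header, the param, the config key and the message come from the thread.

```typescript
// Added example, not Kibana's own code: a model of the gate this thread describes. A route
// declared `access: 'internal'` is usable under `server.restrictInternalApis` only when the
// caller marks the request as internal, via the `x-elastic-internal-origin` header or the
// proposed reserved `elasticInternalOrigin` query param. Type and function names are assumed.
type Route = { method: string; access: 'public' | 'internal' };
type KibanaRequest = { method: string; url: string; headers: Record<string, string> }; // lower-cased names
type HttpConfig = { restrictInternalApis: boolean };
type Decision = { statusCode: number; message?: string };
const INTERNAL_ORIGIN_HEADER = 'x-elastic-internal-origin';
const INTERNAL_ORIGIN_QUERY_PARAM = 'elasticInternalOrigin';

// Splits "/path?a=1&b" into the path and a map of decoded query keys to values.
function parseQuery(url: string): { path: string; query: Record<string, string> } {
  const q = url.indexOf('?');
  const path = q < 0 ? url : url.slice(0, q);
  const query: Record<string, string> = {};
  for (const pair of (q < 0 ? '' : url.slice(q + 1)).split('&').filter(Boolean)) {
    const eq = pair.indexOf('=');
    const k = eq < 0 ? pair : pair.slice(0, eq), v = eq < 0 ? '' : pair.slice(eq + 1);
    query[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return { path, query };
}

// The `isInternalRequest` notion the fix raises into the request: presence of either
// signal is enough; the header's value is not inspected ("header is present").
function isInternalRequest(req: KibanaRequest): boolean {
  return INTERNAL_ORIGIN_HEADER in req.headers ||
    INTERNAL_ORIGIN_QUERY_PARAM in parseQuery(req.url).query;
}

// Reserves the param: strip it before the route's own query schema runs, so a strict
// schema does not reject the marker (the "control validation of query params" point).
function stripReservedQuery(req: KibanaRequest): KibanaRequest {
  const { path, query } = parseQuery(req.url);
  delete query[INTERNAL_ORIGIN_QUERY_PARAM];
  const qs = Object.entries(query)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`).join('&');
  return { ...req, url: qs ? `${path}?${qs}` : path };
}

// The gate: 400 with the message quoted in the commit's test steps, otherwise 200 and the
// request continues (with the marker stripped) to validation and the handler.
function checkRouteAccess(route: Route, req: KibanaRequest, cfg: HttpConfig): Decision {
  if (route.access === 'internal' && cfg.restrictInternalApis && !isInternalRequest(req)) {
    const { path } = parseQuery(req.url);
    return { statusCode: 400, message: `uri [${path}] with method [${route.method.toLowerCase()}] exists but is not available with the current configuration` };
  }
  return { statusCode: 200 };
}
```

Note that the param is matched as a key only: a value of `elasticInternalOrigin` under some other key does not mark the request as internal.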
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Aug 21, 2023
(cherry picked from commit 23d3955)
kibanamachine referenced this issue Aug 21, 2023
…ry param `elasticInternalOrigin` (#163796) (#164278)

# Backport

This will backport the following commits from `main` to `8.10`:
- [[HTTP] Allow for internal requests to also specify special query param `elasticInternalOrigin` (#163796)](#163796)


### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)


Co-authored-by: Jean-Louis Leysens <jeanlouis.leysens@elastic.co>